Security Advisory: Multiple Vulnerabilities in Phoenix Contact Routers

Introduction
This is the fourth security advisory we release that is related to the introduction of a "zero-day identification" module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY's platform. You can find the first three here: Asus M25 NAS Vulnerability, Multiple Vulnerabilities in NetModule Routers, and Unauthenticated Configuration Export in Multiple WAGO Products.
Phoenix Contact is a manufacturer of industrial-grade routers. The vulnerabilities identified within the web management interface allow authenticated users to execute arbitrary commands with elevated privileges or to access any file on the system.
These vulnerabilities were automatically identified by our platform during a firmware scan of one of these industrial routers.
All our findings were validated using an emulated device and reported to Phoenix Contact, whose PSIRT team confirmed our findings.
Affected vendor & product |
Vendor Advisory | Security Advisory for Phoenix Contact TC ROUTER and CLOUD CLIENT
Vulnerable version | < 4.5.7x.107
Fixed version | 4.5.7x.107
CVE IDs |
Impact (CVSS) | 8.8 (high) - AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Credit | Q. Kaiser, ONEKEY Research Lab. Research supported by Certainity.
Authenticated Command Injection
Summary
The web administration interface executes an OS command constructed with unsanitized user input.
Impact
A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges.
Description
The web admin interface is written in PHP and has a page allowing for GNSS receiver configuration at /home/www-data/admin/gnssAutoAlign.php. On line 36, the script calls exec with an unsanitized $device_id variable obtained from the POST request on line 6:

<?php
require_once('config/config.php');
if (isset($c))
    $device_id = $c;
else
    $device_id = $_REQUEST['device_id'];
$status = "disabled";
define("STATUS_FILENAME", "/tmp/status/gnss". $device_id ."/dr-auto-align");
define("ANGLES_FILENAME", "/tmp/status/gnss". $device_id ."/dr-auto-align-angles");
define("PID_FILENAME", "/run/gnss". $device_id ."/dr-auto-align.pid");
if (file_exists(STATUS_FILENAME)) {
    $statusfile = fopen(STATUS_FILENAME, "r");
    $status = fread($statusfile, filesize(STATUS_FILENAME));
    fclose($statusfile);
}
$yaw = "n/a";
$pitch = "n/a";
$roll = "n/a";
if (file_exists(ANGLES_FILENAME)) {
    $anglesfile = fopen(ANGLES_FILENAME, "r");
    $angles = fread($anglesfile, filesize(ANGLES_FILENAME));
    fclose($anglesfile);
    $angles = explode("\n", $angles);
    $yaw = explode("yaw: ", $angles[0])[1];
    $pitch = explode("pitch: ", $angles[1])[1];
    $roll = explode("roll: ", $angles[2])[1];
}
if (isset($_POST['toggleAlignment'])) {
    if ($status == "disabled") {
        exec("/usr/local/sbin/www-scripts/various/doAutoAlignment " . $device_id . " > /dev/null &");
        $status = "starting";
    } else {
        exec("kill $(cat ". PID_FILENAME . ")");
        $status = "stopping";
    }
}
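For comparison, the following hardened rewrite of the toggle logic is an added example from this editorial pass, not Phoenix Contact's actual fix in 4.5.7x.107 (which is not shown here). It assumes GNSS device IDs are short numeric strings, which the advisory does not state, and it keeps the shell out of the PID lookup entirely.

```php
<?php
// Added example, not vendor code: hardened handling of device_id.
// Assumption (not stated in the advisory): GNSS device IDs are short numeric strings.
function validateDeviceId($raw): string
{
    // Allow-list the value before it reaches a shell or a filesystem path.
    if (!is_string($raw) || !preg_match('/^[0-9]{1,3}$/', $raw)) {
        throw new InvalidArgumentException('invalid device_id');
    }
    return $raw;
}

function readStatus(string $deviceId): string
{
    $file = "/tmp/status/gnss{$deviceId}/dr-auto-align";
    return is_file($file) ? trim((string)file_get_contents($file)) : 'disabled';
}

function startAutoAlignment(string $deviceId): void
{
    // escapeshellarg() is defence in depth on top of the allow-list above.
    exec('/usr/local/sbin/www-scripts/various/doAutoAlignment '
        . escapeshellarg($deviceId) . ' > /dev/null &');
}

function stopAutoAlignment(string $deviceId): void
{
    // Read the PID in PHP instead of letting the shell expand $(cat ...),
    // and only pass it on if it is purely numeric.
    $pid = trim((string)@file_get_contents("/run/gnss{$deviceId}/dr-auto-align.pid"));
    if ($pid !== '' && ctype_digit($pid)) {
        exec('kill ' . escapeshellarg($pid));
    }
}

try {
    $deviceId = validateDeviceId($_REQUEST['device_id'] ?? '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('invalid device_id');
}
$status = readStatus($deviceId);
if (isset($_POST['toggleAlignment'])) {
    if ($status === 'disabled') {
        startAutoAlignment($deviceId);
    } else {
        stopAutoAlignment($deviceId);
    }
}
```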
Authenticated Path Traversal
Summary
The web administration interface is vulnerable to path traversals, which could lead to arbitrary file uploads and deletion.
Impact
By uploading a malicious PHP file within the web administration root directory, an authenticated user could gain unconstrained remote command execution.
Description
The web admin interface is written in PHP and has a page to handle what they call "SDK jobs" at /home/www-data/admin/include/sdkJobs.php. This script calls move_uploaded_file on line 320 with unsanitized user input:

if (!move_uploaded_file($_FILES["scriptUpload"]["tmp_name"], $uploadpath))

The unsanitized user input is constructed this way:

$name = trim($_POST['scriptName']);
$uploadpath = UPLOAD_DIR . "/" . $name;
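The following is an added example of how the upload path could be contained; it is not Phoenix Contact's fix. The UPLOAD_DIR value is assumed (the advisory does not show the real one) and is deliberately placed outside the web root, since a PHP file landing under the web root is what turns this traversal into remote command execution.

```php
<?php
// Added example, not vendor code: keeping SDK job uploads inside UPLOAD_DIR.
// UPLOAD_DIR is an assumed value outside the web root; the advisory does not show the real one.
define('UPLOAD_DIR', '/home/www-data/sdk-jobs');

function safeUploadPath(string $rawName, string $dir): string
{
    // basename() drops any directory part ("../../admin/x.php" -> "x.php"),
    // then an allow-list rejects anything unusual, including dotfiles.
    $name = basename(trim($rawName));
    if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $name)) {
        throw new InvalidArgumentException('invalid script name');
    }
    // Refuse extensions a web server would execute, even with the directory moved.
    if (preg_match('/\.(php|phtml|phar)\b/i', $name)) {
        throw new InvalidArgumentException('executable extension not allowed');
    }
    $base = realpath($dir);
    if ($base === false) {
        throw new RuntimeException('upload directory does not exist');
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    // Final containment check against the canonical directory, in case
    // $dir itself contains symlinks or a name slipped through the filter.
    if (realpath(dirname($target)) !== $base) {
        throw new InvalidArgumentException('path escapes upload directory');
    }
    return $target;
}

function handleScriptUpload(array $files, array $post): bool
{
    if (!isset($files['scriptUpload']) || $files['scriptUpload']['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $tmp = $files['scriptUpload']['tmp_name'];
    // is_uploaded_file() confirms tmp_name really is this request's upload.
    if (!is_uploaded_file($tmp)) {
        return false;
    }
    $target = safeUploadPath($post['scriptName'] ?? '', UPLOAD_DIR);
    return move_uploaded_file($tmp, $target);
}
```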
Key Takeaways
This advisory serves as another example of a high-risk vulnerability that went unnoticed by the vendor and may end up in mission-critical environments. With increasing obligations on operators of essential or important entities to practice third-party due diligence, automated security analysis is an effective measure to fulfill these requirements and to avoid deploying vulnerable devices in the field.
Timeline
2022-10-21 – Sent coordinated disclosure request to psirt@phoenixcontact.com
2022-10-21 – Confirmation & discussion with Phoenix Contact to explain the vulnerability.
2022-11-15 – Coordination between Phoenix Contact and ONEKEY on firmware release planning.
2023-03-07 – Phoenix Contact releases fixed firmware and its security advisory
2023-03-28 – ONEKEY releases its advisory
About ONEKEY
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

CONTACT:
Sara Fortmann
Senior Marketing Manager
sara.fortmann@onekey.com
euromarcom public relations GmbH
team@euromarcom.de